2FA for .nz Domains

Mark Hansen

Background

My website is on .co.nz. And so is my email. I want good security for my domain registration, because hacking domains allows you to intercept email, and intercepting email allows resetting passwords on other services.

A minimum bar for "good security" in 2020 is two-factor-authentication support, or 2FA. However, it seems relatively few .nz domain registrars offer this. This post summarizes my research into which registrars do.

Whois Privacy

The Individual Registrant Privacy Option (IRPO) is for individual registrants that are not using the domain name for significant trade.

All NZ registrars are required to provide this, but most international registrars go through resellers and don't support whois privacy. So I want an official NZ registrar that the DNC deals with directly.

Research

I went through the registrars listed, and a few big international ones. I'm looking for ones that fill me with confidence - 2FA and preferably big enough to invest in a security team. I've (a bit harshly) ruled out a lot of sites that don't inspire confidence, through being small or having bad web design. These businesses are probably fine, but I'm explicitly prioritising security and confidence.

I used to use 1stdomains for their low prices. Just ridiculous that they don't have 2FA in 2020. UI hasn't updated in ~10 years, which doesn't inspire confidence that they have an empowered dev/security team.

UI is quite bad. Registering with their UI is a pain. I ran into bugs in uploading zones, had to email them, they manually fixed my data but AFAICT didn't fix the underlying issue. Not confidence inspiring.

Probably great security, but they're a reseller, so don't support whois privacy.
Google Domains now actually allows you to buy with a billing address in Australia (you used to have to fake it to the USA): https://support.google.com/domains/answer/4639612?hl=en. But not New Zealand billing addresses. Wild.

Their header logo 404s. Doesn't inspire confidence.
I emailed them on their contact email and got "Your message wasn't delivered to contact@godomains.co.nz because the domain godomains.co.nz couldn't be found. Check for typos or unnecessary spaces and try again."

Conclusion

I think I'll go with Gandi. They're a huge international operator with a long history and a big enough dev team to support an API, they probably also

Runner-up prize would go to Metaname. They were the first in NZ to do 2FA (as early as 2013!), and I tried their site, but it was very lo-fi, hard to use, and I found a few bugs, particularly with importing zones, and when I emailed them about this, I got good support (in that they reached into my domain and fixed the problem) but they didn't fix the underlying bug that caused me to get into a bad state in the first place. I don't want to have to contact them every time I get into a bad state. Sorry Metaname!

A lot of people recommend iwantmyname.co.nz as a NZ-based operator that's clued up, but their support pages are currently all broken, all redirecting to the same blog post from 2014, and that doesn't inspire confidence.

crazydomains.co.nz has reasonable prices, but their site search is broken, which doesn't inspire confidence. And they're part of an international outfit (crazydomains.com.au looks exactly the same) which increases the chance that they'll be big enough to support a security team.

It's a real shame, but I think operators that only serve the NZ market are unlikely to have enough economy of scale to support a security team. There would be ways around this — contracting with some of the excellent security companies in NZ might be an alternative?